WO2024120403A1 - Method and apparatus for logging in to an application, and computer device, storage medium and chip - Google Patents

Method and apparatus for logging in to an application, and computer device, storage medium and chip

Info

Publication number
WO2024120403A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
login authentication
authentication mode
user
web application
Application number
PCT/CN2023/136541
Other languages
English (en)
Chinese (zh)
Inventor
陈岩
许国彪
孙冬冬
张云
肖宇
梁伟亮
Original Assignee
顺丰科技有限公司
Application filed by 顺丰科技有限公司
Publication of WO2024120403A1

Classifications

    • H04L 63/0807 Network architectures or network communication protocols for network security; authentication of entities using tickets, e.g. Kerberos
    • H04L 67/02 Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)
    • H04L 9/3213 The same, involving a third party or a trusted authority and using tickets or tokens, e.g. Kerberos
    • H04L 9/40 Network security protocols

Definitions

  • The present application belongs to the field of software development technology, and in particular relates to a method and device for logging in to an application, a computer device, a storage medium, and a chip.
  • In the related art, the login authentication mode of a Web application is fixed; a login authentication mode can include one or more login methods.
  • Different application scenarios of the same Web application often have different requirements for the login authentication mode, and a fixed login authentication mode can hardly meet the requirements of all of them.
  • The embodiments of the present application provide a method and apparatus for logging in to an application program, a computer device, a storage medium, and a chip, which solve the technical problem of how to switch between different login authentication modes of an application at low cost.
  • The first aspect provides a login method for an application, wherein the Web application includes a plurality of preset login authentication mode code modules and a configuration file; each login authentication mode code module corresponds to a login authentication mode, the configuration file includes a login authentication mode configuration item, each such configuration item corresponds to a login authentication mode, and the configuration item present in the configuration file determines the login authentication mode used by the Web application.
  • When the login authentication mode of the Web application needs to be changed, it is only necessary to set the login authentication mode configuration item in the configuration file to the item corresponding to the login authentication mode to be adopted.
  • Such a modification avoids changing a large amount of code, reduces the labor cost of switching the login mode of the Web application, and improves the efficiency of switching the login authentication mode.
  • An embodiment of the present application provides a login device for an application, comprising: a receiving unit, configured to receive an access request for a first Web application, wherein the first Web application includes a first configuration file and a plurality of preset login authentication mode code modules, each login authentication mode code module corresponds to a login authentication mode, the first configuration file includes a first login authentication mode configuration item, and the first login authentication mode configuration item is set according to the first login authentication mode used by the first Web application; a determination unit, configured to determine, in response to the access request and according to the first login authentication mode configuration item in the first configuration file, a first login authentication mode code module from the plurality of preset login authentication mode code modules, the first login authentication mode code module corresponding to the first login authentication mode; a login interface task unit, configured to generate a login interface task according to the code in the first login authentication mode code module; and a sending unit, configured to send the login interface task to a terminal device, so that the terminal device displays a login interface of the first Web application based on the
  • An embodiment of the present application provides a computer-readable storage medium in which a computer program or instructions are stored.
  • When a computer reads and executes the computer program or instructions, the computer executes the steps of the method in any one of the embodiments of the first aspect above.
  • An embodiment of the present application provides a computer program product which, when executed on a server, enables the server to execute the steps of the method in any one of the implementations of the first aspect above.
  • An embodiment of the present application provides a chip, comprising a processor configured to call and run a computer program from a memory, so that a computer device equipped with the chip executes the method in any one of the embodiments of the first aspect above.
  • FIG. 1 is a flow chart of a method for configuring a login authentication mode of a Web application provided in an embodiment of the present application.
  • FIG. 2 is an interaction diagram of a method for logging into a Web application provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a login interface of a Web application provided in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a basic protocol process of CAS login used by a Web application in an embodiment of the present application.
  • FIG. 7 is a schematic diagram showing the principle of Shiro login used by a Web application in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a login interface of a Web application provided in another embodiment of the present application.
  • FIG. 9 is a schematic diagram showing the principle of OAuth login used by a Web application in an embodiment of the present application.
  • FIG. 10 is a structural block diagram of a login device for a Web application provided in an embodiment of the present application.
  • FIG. 11 is a schematic diagram of the structure of a computer device provided in an embodiment of the present application.
  • FIG. 12 is a schematic diagram of the structure of a computer-readable storage medium provided in an embodiment of the present application.
  • A Web application (Web app) is an application that is accessed through the Web; users do not need to install other software and need only a browser to access it.
  • Login authentication mode refers to the specific technology used in the application login authentication process, such as CAS (Central Authentication Service) login for single sign-on for multiple application systems, OAuth (Open Authorization) login for flexible switching between this application and third-party applications, Shiro login for identity authentication and permission management, WeChat login for user convenience, etc., or it can be a login authentication mode that combines any two or more of CAS login, Shiro login, OAuth login and WeChat login.
  • Login method refers to the specific operation by which the user logs in to the application, such as account and password login, third-party login (such as WeChat login, QQ login, etc.), QR code login (scanning the QR code of the Web version with the client version of the application) or SMS verification code login, etc.
  • A login authentication mode can include one or more login methods.
  • Different application scenarios may be different subordinate departments of the same group (e.g., a corporation), or different customers served by the same Web application.
  • Business data management system X (a Web application) used by different departments is taken as an example. For department X1: in addition to business data management system X, the users of department X1 also need to use several other application systems within the group, so they want system X and the other application systems within the group to support single sign-on. The current login authentication mode of business data management system X therefore meets the requirements of department X1.
  • For department X1, there is no need to modify business data management system X.
  • For department X2: its users mainly use business data management system X and do not need other application systems within the group, so they want business data management system X to support WeChat login.
  • The current login authentication mode of business data management system X does not meet the requirements of department X2. When deploying business data management system X for department X2, system X must be modified to meet those requirements, for example by redeveloping its login authentication mode part. Such a modification involves changing a large amount of code, is a large workload, and therefore requires a lot of manpower.
  • Database service system Y (a Web application) deployed for different customers is taken as a second example of a fixed login authentication mode that cannot meet the needs of different customers.
  • Enterprise A is a large enterprise. To make it convenient for employees to use its various applications, Enterprise A wants database service system Y to support single sign-on with its other internal applications. The current login authentication mode of database service system Y therefore meets the requirements of Enterprise A.
  • Enterprise B is a small enterprise. To make it convenient for employees to use database service system Y, Enterprise B wants database service system Y to support WeChat login.
  • The current login authentication mode of database service system Y does not meet the requirements of Enterprise B. When deploying database service system Y for Enterprise B, system Y must be modified to meet those requirements, for example by redeveloping its login authentication mode. Such a modification involves changing a large amount of code, is a large workload, and therefore requires a lot of manpower.
  • The present application provides a login method for an application in which a Web application includes a plurality of preset login authentication mode code modules (also referred to as login parts) and a configuration file; each login authentication mode code module corresponds to a login authentication mode, the configuration file includes a login authentication mode configuration item, each such configuration item corresponds to one login authentication mode, and the configuration item present in the configuration file determines the login authentication mode used by the Web application.
  • Such a modification method avoids changing a large amount of code, reduces the labor cost of switching the login authentication mode of the Web application, and improves the efficiency of switching it.
  • In addition to the multiple preset login authentication mode code modules and the configuration file, the Web application also includes a business logic code module (also referred to as a business logic part).
  • The business logic code module includes the code corresponding to the business logic of the Web application, that is, it implements the functions of the Web application related to the actual business.
  • For example, the business logic code module processes the create, read, update and delete operations of the Web application, abstracts the business scenario, and reads data or modifies records according to the actions and steps of a business operation, so as to keep the business of the Web application running normally.
  • The multiple preset login authentication mode code modules implement the functions related to the login process of the Web application.
  • The functions implemented by a given login authentication mode code module include: generating a login interface task corresponding to its preset login authentication mode, so that the terminal device displays the login interface based on that task; authenticating the user according to the login information entered on the login interface; when login authentication passes, calling the business logic code module to generate an application interface task of the Web application, so that the terminal device displays the application interface based on that task; and when login authentication fails, generating a prompt task, so that the terminal device displays a login failure prompt to the user and asks the user to log in again.
  • A Web application may adopt a microservice architecture in which the preset login authentication mode code modules form a first microservice module and the business logic code module forms a second microservice module. In that case, after the user's login authentication succeeds, the first microservice module calls the second microservice module through a remote procedure call (RPC).
  • Alternatively, the business logic code module can be integrated into each of the preset login authentication mode code modules, so that each login authentication mode code module contains all the code needed to implement both the login function and the business function of the Web application.
  • The configuration file contains a login authentication mode configuration item. This item is modifiable, and the item present in the configuration file corresponds to the login authentication mode used by the Web application.
  • The login authentication mode configuration item in the configuration file matches the login authentication mode code module in use: when logging in to the Web application, the login authentication mode code module matching the configuration item is selected, and the login is performed based on that module.
  • The configuration file can be a file dedicated to the login authentication mode configuration item, or a file shared with other configuration information; this application imposes no restriction on this.
  • The configuration file, or the login authentication mode configuration item in it, can be hosted on a cloud platform. In that case the configuration file is stored both on the cloud platform and locally, and the two copies are kept in sync, so the login authentication mode of the Web application can be switched by modifying the configuration item in the cloud-hosted copy. The cloud-hosted configuration file can also be shared, that is, others can be authorized to modify its content through the cloud platform.
  • The cloud platform may be GitHub, Bitbucket, Gitee (Code Cloud), or similar.
  • The embodiments of the present application do not limit the specific form of the cloud platform: any platform that keeps the hosted configuration file and the local configuration file in sync and allows the hosted file to be shared can be used.
  • The login authentication mode of the corresponding Web application can therefore be switched by editing the content of the cloud-hosted configuration file.
  • The customer can be authorized to edit the configuration file, which makes switching the login mode of the Web application quicker and more convenient. Note that whoever can edit this configuration item decides which login authentication mode code module the application loads, so that write permission should be granted as narrowly, and its changes reviewed as carefully, as changes to the login code itself.
  • FIG. 1 is a flow chart of a method for configuring a login authentication mode of a Web application provided in an embodiment of the present application.
  • The embodiment shown in FIG. 1 takes a first Web application as an example to illustrate the method for configuring a login authentication mode; this does not limit the scope of protection of the present application.
  • The method may include steps S101 to S102, each described below.
  • The first Web application includes a plurality of preset login authentication mode code modules and a first configuration file, and each login authentication mode code module corresponds to a login authentication mode.
  • Step S101: determine a first login authentication mode used by the first Web application, where the first login authentication mode corresponds to a first login authentication mode code module, which is any one of the plurality of preset login authentication mode code modules.
  • The first login authentication mode used by the first Web application is determined according to user needs.
  • For example, if the first Web application includes three preset login authentication mode code modules, then, since each module corresponds to a login authentication mode, the first Web application corresponds to three login authentication modes, and the first login authentication mode is any one of the three.
  • The first login authentication mode may include one login method or several.
  • For example, the first login authentication mode may include only account and password login.
  • As another example, it may include both account and password login and mobile phone verification code login. This application does not limit the types of login methods included in the first login authentication mode.
  • The first login authentication mode can be CAS login, Shiro login, OAuth login, WeChat login, or a combination of any two or more of them.
  • The first login authentication mode can also be any other available login authentication mode, which is not repeated here.
  • Step S102: set a first login authentication mode configuration item in the first configuration file of the first Web application, where the first login authentication mode configuration item matches the first login authentication mode code module.
  • "Matches" means that the first login authentication mode configuration item and the first login authentication mode code module are paired: as long as the first login authentication mode configuration item is set in the first configuration file, the first Web application automatically uses the first login authentication mode code module to implement login.
  • In one implementation, a tag is set in each preset login authentication mode code module, with a different tag in each module. Assuming the tag in the first login authentication mode code module is the first tag, when the first Web application needs to use the first login authentication mode (the mode corresponding to the first login authentication mode code module), it is only necessary to set the first login authentication mode configuration item in the first configuration file to the content corresponding to the first tag.
  • For example, the Spring Boot @ConditionalOnExpression annotation may serve as the tag in the first login authentication mode code module, with the annotation parameter being an expression over the first login authentication mode configuration item in the first configuration file, so that the module is loaded only when the configuration item has the matching value.
  • Through steps S101 and S102, the first login authentication mode is configured as the login authentication mode of the first Web application.
  • In this configuration process only the content of the configuration file needs to be set (or modified), which is simple and convenient. The process requires no modification of the code of the first Web application, so a lot of manpower is saved, and because the process is simple, the login authentication mode of the first Web application can be switched at any time, improving user satisfaction with the first Web application.
  • A second login authentication mode code module, whose login authentication mode differs from the first, can be added to the first Web application as required. That is, a new login authentication mode can be added to the first Web application as needed, widening the range of scenarios it can serve.
  • A login authentication mode of the first Web application can also be removed as needed: deleting the corresponding login authentication mode code module from the multiple preset modules removes that login authentication mode.
  • After the first login authentication mode has been configured, the user can use it to log in to the first Web application.
  • The following describes, with reference to the accompanying drawings, the login method of the first Web application after the first login authentication mode has been configured.
  • FIG. 2 is an interaction diagram of a method for logging in to a Web application provided by an embodiment of the present application, again using a first Web application as an example. As shown in FIG. 2, the method may include steps S201 to S212, each described in detail below.
  • Step S201: the terminal device receives a first operation from the user, where the first operation is used to open the first Web application.
  • The user performs the first operation on the terminal device in order to open the first Web application.
  • The first operation may be the user entering the URL of the first Web application in a browser, or the user clicking the client icon of the first Web application on the terminal device.
  • Step S202: the terminal device sends an access request for the first Web application to the server according to the user's first operation.
  • Step S203: in response to the access request, the server determines the first login authentication mode code module from the plurality of preset login authentication mode code modules according to the first login authentication mode configuration item in the first configuration file, the first login authentication mode code module corresponding to the first login authentication mode.
  • The first login authentication mode configuration item in the first configuration file is modifiable, and it was set during the login authentication mode configuration process of the first Web application according to the first login authentication mode required by the customer.
  • Determining the first login authentication mode code module is the process of searching the multiple preset login authentication mode code modules for the one that matches the first login authentication mode configuration item.
  • The specific method is the matching of the first login authentication mode configuration item with the first login authentication mode code module described in step S102 and is not repeated here.
  • Several other Web applications may be deployed on the same server, and different Web applications may use different login authentication modes. In that case a configuration file must be set up on the server for each Web application with its own login authentication mode.
  • The first Web application deployed on a server may also serve several different application scenarios (for example, different customers or departments), so the same Web application may correspond to different login authentication modes. In that case a configuration file must be set up on the server for each customer with its own login authentication mode. The server may therefore hold several configuration files, and after receiving the access request it must first determine the required first configuration file among them.
  • In one implementation, the access request for the first Web application carries the identifier of the terminal device used by the user and the identifier of the first Web application, and before step S203 the server determines the first configuration file from the multiple configuration files according to the identifier of the first Web application and the identifier of the terminal device: the identifier of the first Web application tells the server which Web application the configuration file belongs to, and the identifier of the terminal device tells it the application scenario (customer or department) of the first Web application. Note that these identifiers only select which login interface is presented; the user is still authenticated by the selected module in step S209, so the selected scenario confers no authority by itself.
  • In another implementation, the access request carries only the identifier of the terminal device, and before step S203 the server determines the first configuration file from the multiple configuration files according to the identifier of the terminal device.
  • Alternatively, only the first Web application may be deployed on the server, even though it serves several application scenarios (for example, several customers or departments); in that case only one configuration file in the sense of this embodiment exists on the server, and that configuration file is the first configuration file.
  • Step S204 the server generates a login interface task according to the code in the first login authentication mode code module.
  • Step S205 The server sends the login interface task to the terminal device.
  • Step S206 the terminal device displays a login interface of the first Web application to the user based on the login interface task, where the login interface corresponds to the first login authentication mode.
  • the content displayed on the login interface is used to prompt and guide the user to perform the login operation.
  • the login interface may include a user and password input box, a mobile phone number and a verification code input box, or a QR code for scanning login through a third-party software, etc.
  • the content in the login interface is related to the login method included in the first login authentication mode.
  • the login authentication mode configuration item in the first configuration file is modifiable content, and the login authentication mode configuration item is determined in the login authentication mode configuration process of the first Web application according to the type of login authentication mode required by the customer. Therefore, when the login authentication mode of the first Web application needs to be modified, there is no need to modify the code content of the first Web application, and the first login authentication mode configuration item in the first configuration file can be directly modified.
  • the method is simple and easy to operate.
  • Displaying the login interface on the terminal device only completes the selection of the login mode of the first Web application; the user's login operation still follows.
  • the login method also includes a login operation performed by the user.
  • the login method also includes steps S207 to S213, and each step is described below.
  • Step S207 The terminal device receives the login operation performed by the user on the login interface displayed by the terminal device.
  • the login operation may be inputting a user name and password, or inputting a mobile phone number and a verification code, or scanning a QR code. In the embodiments of the present application, no specific limitation is made to this.
  • Step S208 The terminal device sends a user login authentication request to the server in response to the user's login operation.
  • Step S209 The server performs login authentication on the user based on the user login authentication request and obtains a login authentication result.
  • the user login authentication can be identity authentication or identity authentication and authority determination, wherein identity authentication is used to determine whether the user is a legitimate user of the first Web application, and authority determination refers to determining the functions of the first Web application that the user can use.
  • the login authentication result can be a successful login authentication or a failed login authentication.
  • Step S210 When the login authentication result is successful, the server generates an application interface task based on the code in the business logic code module.
  • Step S211 The server sends the application interface task to the terminal device.
  • Step S212 The terminal device displays the application interface of the first Web application to the user based on the application interface task.
  • the application interface refers to the interface displayed after the user successfully logs in to the first Web application, and the user uses the business functions of the first Web application in this interface.
  • When the server determines that the user login authentication fails, it sends a login failure message to the terminal device, which displays the first login interface to the user again so that the user can perform login authentication again. Showing the login failure message through the terminal device reminds the user to log in again, thereby improving the user experience.
  • When the server performs login authentication on a user, it specifically uses the user information stored in the authentication interaction database to perform login authentication and obtain a login authentication result; the authentication interaction database includes multiple preset user information, the user information in the authentication interaction database is periodically updated according to the user information in the target database, and the target database includes the user information using the first login authentication mode.
  • Performing login authentication with the user information stored in the authentication interaction database means, more specifically, comparing the information input by the user with the user information in the interaction database.
  • For example, when the user inputs a user name and a password, the server searches and compares the data in the authentication interaction database. If the user name and password can both be found, the login authentication succeeds; if at least one of the user name and password cannot be found, the login authentication fails.
  • the user information stored in the target database is all user information. Regularly updating the authentication interaction database according to the target database can ensure that all newly added users can successfully log in to the first Web application, thereby improving the user experience; at the same time, it can prevent deleted users from logging in to the first Web application, thereby ensuring data security.
  • When the server performs login authentication on the user, it can specifically use the user information stored in the authentication interaction database to perform login authentication and obtain the login authentication result; the authentication interaction database includes the user information using the first login authentication mode, and the user information in the authentication interaction database is regularly updated using ETL (Extract-Transform-Load). Dynamically updating the authentication data in the authentication interaction database with an ETL task improves the update efficiency.
  • A regular update means updating the user information after each preset time period.
  • updates can be performed at a fixed time every day, every week, or every month.
  • the specific update frequency and update method can be set according to needs, and will not be described in detail here.
  • a Redis sentinel mode cluster is used to cache user-related session information generated during the login authentication process.
  • multiple servers are used to cache the user-related Session information generated by the login authentication process.
  • The multiple servers include a master server and at least one slave server. Sentinel monitors whether the master server is working normally; when the master server fails, Sentinel automatically fails over and promotes a slave server it monitors to master, thereby ensuring the high availability of the system and in turn the security of the stored Session information.
  • the session information includes the user information entered during the user login process.
  • the server stores the session information.
  • The data can be read from memory (the Redis sentinel mode cluster stores its data in memory), which is faster than reading it from the database; this improves the efficiency of login authentication, and it also allows Session data to be shared between the servers of different Web applications, improving the utilization of the data.
  • FIG3 is a schematic diagram of a login interface of a Web application provided in an embodiment of the present application.
  • the login authentication mode corresponding to the login interface is CAS login.
  • the login authentication mode includes two login methods.
  • the login method displayed in the login interface shown in FIG3 is account password login. The user can switch the login method to scanning the QR code login by clicking the QR code icon in FIG3 .
  • CAS is a framework for single sign-on (SSO), and its full name is Central Authentication Service.
  • CAS has the following features: (1) It is an open source enterprise-level single sign-on solution. (2) The CAS server (i.e., CAS Server) supports clients in many languages (here a client means one of the various Web applications in the single sign-on system), including Java, .Net, PHP, Perl, Apache, uPortal, Ruby, etc.
  • FIG4 is a schematic diagram of the basic protocol process of CAS login used by the Web application in an embodiment of the present application.
  • the framework of CAS login includes two parts: the CAS server (i.e., CAS Server) and the CAS client.
  • the CAS server needs to be deployed independently and is mainly responsible for user authentication; the CAS client is responsible for processing access requests for client-protected resources, and redirects to the CAS server when login is required.
  • the CAS client is deployed together with the protected client application (i.e., Web application) to protect the protected resources in a Filter manner.
  • the Web browser in FIG4 is the entry point for users to request access to the Web application.
  • Step 1 access service: The user sends a request to the CAS client to access the service resources provided by the Web application.
  • the CAS client analyzes whether the user's request contains a Service Ticket; if the request does not contain a Service Ticket, it means that the current user has not logged in (or the user is logging in to the Web application for the first time), so the CAS client executes the next step (i.e., step 2).
  • Step 2 Redirect for authentication: The CAS client redirects the user request to the CAS server.
  • Step 3 User authentication: i.e. user identity authentication. The user enters authentication information for login authentication. If the login authentication is successful, the next step (i.e. step 4) is executed.
  • Step 4 Issue a ticket: The CAS server generates a random service ticket (Service Ticket).
  • Step 5 Ticket verification: The CAS client verifies the service ticket with the CAS server to ensure that the ticket is legitimate. After the verification passes, the CAS client is allowed to access the service.
  • Step 6 Transmit user information: After the service ticket (Service Ticket) is verified, the CAS server transmits the user authentication result information (User name) to the CAS client.
  • FIG5 is a flow chart of CAS login used by a Web application in an embodiment of the present application.
  • CAS login mainly includes authorization and authentication processes.
  • user information (such as user account password) stored in the database is used for authentication, and the user information in the database is updated using ETL.
  • the user's account and password are verified by using a database (for example, the user's company database can be integrated), and the user account and password information in the database is regularly updated by a scheduling task (using ETL).
  • Fig. 6 is a schematic diagram of a login interface of a Web application provided in another embodiment of the present application.
  • the login authentication mode corresponding to the login interface includes only one login method (account and password login), and the login authentication mode is Shiro login. It is known to those skilled in the art that other login methods can be added as needed in this login mode.
  • FIG7 is a schematic diagram of the Shiro login principle used by the Web application in an embodiment of the present application.
  • Shiro is a security framework based on Java that aims to simplify authentication and authorization.
  • the Shiro framework can be used in both JavaEE and JavaSE. It is mainly used to handle identity authentication, authorization, enterprise session management, encryption, etc. The following describes the various functional points numbered 1 to 5 in FIG7.
  • (3) Session management: each user login is a session, and all user information exists in the session until the Web application is exited.
  • Shiro framework can be easily integrated into the Web environment.
  • the embodiment of the present application has made some improvements on the basis of the basic Shiro login authentication authorization.
  • the unimproved contents in FIG7 can be understood by referring to the definitions in the prior art, and will not be described here.
  • the improved contents are described below in conjunction with FIG7 .
  • The embodiment of the present application adds a customizable user filter 701 (Customer Filter) on top of the basic Shiro login authentication and authorization, to ensure that the URLs (Uniform Resource Locators) of the other interfaces of the web application are routed successfully after login authentication.
  • the embodiment of the present application can also use a Redis sentinel mode cluster (including a master server and at least one slave server) (implemented by the Redis function box 702 in FIG7 ) to cache the Session information of the logged-in user.
  • Such an operation enables the Session information to be directly obtained from the Redis sentinel mode cluster during login authentication, so that the Session information can be quickly read and written, thereby improving the efficiency of authentication and authorization.
  • the Redis sentinel mode realizes the sharing of user login Session information on the server of the Web application. This transformation can adapt to the vast majority of Web applications and further improve the efficiency of authentication and authorization.
  • FIG8 is a schematic diagram of a login interface of a Web application provided in another embodiment of the present application.
  • the login authentication mode corresponding to the login interface includes only one login method (account and password login), and the login authentication mode is OAuth login. It is known to those skilled in the art that other login methods can be added as needed under this login mode.
  • OAuth authentication allows a third-party application, with the user's authorization, to access the open platform (mainly the resource interfaces in the platform's resource server) without obtaining sensitive user information (such as the account password, user PIN, etc.).
  • FIG9 is a schematic diagram of the OAuth login used by the Web application in an embodiment of the present application.
  • the user uses the user agent (User Agent) to interact with the authentication server (Authorization Server) and the third-party application (Client).
  • the process of OAuth login includes steps (A) to (E) shown in FIG9 , and each step is briefly described below.
  • The user (Resource Owner) must first remain logged in to the Web application described in the embodiments of this application (assume it is Web application M), that is, the user has already been authenticated in Web application M.
  • The Redis sentinel mode cluster has stored the session information generated when the user logged in to Web application M (the session information includes the user information), and the authentication server can obtain the user information from the Redis sentinel mode cluster.
  • the following process is the authentication steps when a user logs in to a third-party application.
  • The third-party application requests user authorization (Auth Code Request), i.e. an operation interface pops up asking the user to confirm authorization to the third-party application.
  • The third-party application obtains the authorization code (Authorization Code) from the authentication server. After the authorization code is obtained, the authentication server web page where the user is located jumps to the callback address (redirect_uri), that is, to the third-party application.
  • The third-party application carries the "authorization code" and its application authentication information (client_id and client_secret) to the authentication server in exchange for an Access token (Authorization Code + URI).
  • A Redis sentinel mode cluster (including a master server and at least one slave server) is introduced to store the user's Session information (mainly the user information (User Info) in it) and cache (Cache) information (the function implemented by the Redis function box 901 shown in FIG. 9); the user information of multiple systems can be added (the function implemented by function box 902 shown in FIG. 9), so that the user information of multiple systems can be shared while the OAuth login authentication mode is used.
  • the multiple systems (system A, system B, system C and system D in the function box 902 shown in FIG. 9) refer to multiple Web applications, that is, Redis can store the user information of multiple different Web applications, and the multiple servers of the Redis sentinel mode cluster can share Session data and be compatible with users of multiple systems.
  • the embodiment of the present application also provides a login device for the application, which includes a unit for executing each step performed by the server in the login method of the application in any of the above embodiments.
  • the login device 1000 of the application includes: a receiving unit 1001, a determining unit 1002, a login interface task unit 1003 and a sending unit 1004.
  • the receiving unit 1001 is used to receive an access request for a first Web application sent by a terminal device, where the first Web application includes a first configuration file and multiple preset login authentication mode code modules; each login authentication mode code module corresponds to a login authentication mode; the first configuration file includes a first login authentication mode configuration item, and the first login authentication mode configuration item is determined and set according to the first login authentication mode used by the first Web application.
  • the determination unit 1002 is used to determine, in response to an access request, a first login authentication mode code module from a plurality of preset login authentication mode code modules according to a first login authentication mode configuration item in a first configuration file, the first login authentication mode code module corresponding to the first login authentication mode.
  • the login interface task unit 1003 is used to generate a login interface task according to the code in the first login authentication mode code module.
  • the sending unit 1004 is used to send the login interface task to the terminal device, so that the terminal device displays the login interface of the first Web application based on the login interface task, and the login interface corresponds to the first login authentication mode.
  • the first configuration file is hosted on a cloud platform.
  • the first login authentication mode is CAS login, Shiro login, OAuth login, WeChat login, or a combination of any two or more of CAS login, Shiro login, OAuth login and WeChat login.
  • When the first Web application includes a business logic code module, the application login device 1000 also includes a login authentication unit and an application interface generation unit.
  • the receiving unit 1001 is used to receive a user login authentication request sent by a terminal device, where the user login authentication request is sent by the terminal device in response to a login operation performed by a user on a login interface.
  • the login authentication unit is used to perform login authentication on the user based on the user login authentication request and obtain the login authentication result.
  • the application interface generation unit is used to generate an application interface task based on the code in the business logic code module when the login authentication result is a successful login authentication.
  • the sending unit 1004 is configured to send the application interface task to the terminal device, so that the terminal device displays the application interface of the first Web application based on the application interface task.
  • The login authentication unit is used to perform login authentication on the user based on the user login authentication request, using the user information stored in the authentication interaction database, and to obtain a login authentication result; wherein the authentication interaction database includes multiple preset user information, the target database includes the user information using the first login authentication mode, and the user information in the authentication interaction database is periodically updated according to the user information in the target database.
  • the application login device 1000 further includes a cache unit.
  • the cache unit is used to cache the user-related session information generated during the login authentication process by using the Redis sentinel mode cluster when the login authentication result is a successful login authentication.
  • An embodiment of the present application also provides a computer device 1100.
  • the computer device in this embodiment can be a server in a method embodiment.
  • the computer device 1100 of this embodiment includes: a processor 1101, a memory 1102, and a computer program 1104 stored in the memory 1102 and executable on the processor 1101.
  • the computer program 1104 can be executed by the processor 1101 to generate instructions 1103, and the processor 1101 can implement the steps in the login method embodiments of the above-mentioned various applications according to the instructions 1103.
  • When the processor 1101 executes the computer program 1104, the functions of each module/unit in the above-mentioned device embodiments are implemented, such as the functions of the receiving unit 1001 to the sending unit 1004 shown in Figure 10.
  • the computer program 1104 may be divided into one or more modules/units, one or more modules/units are stored in the memory 1102, and executed by the processor 1101 to complete the present application.
  • One or more modules/units may be a series of computer program instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer program 1104 in the computer device 1100.
  • FIG11 is merely an example of a computer device 1100 and does not constitute a limitation on the computer device 1100.
  • the computer device 1100 may include more or fewer components than shown in the figure, or a combination of certain components, or different components.
  • the computer device 1100 may also include input and output devices, network access devices, buses, etc.
  • The processor 1101 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general purpose processor may be a microprocessor or the processor may also be any conventional processor, etc.
  • the memory 1102 may be an internal storage unit of the computer device 1100, such as a hard disk or memory of the computer device 1100.
  • the memory 1102 may also be an external storage device of the computer device 1100, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card (Flash Card), etc. equipped on the computer device 1100.
  • the memory 1102 may also include both an internal storage unit of the computer device 1100 and an external storage device.
  • the memory 1102 is used to store computer programs and other programs and data required by the computer device 1100.
  • the memory 1102 may also be used to temporarily store data that has been output or is to be output.
  • Those skilled in the art can clearly understand that, for convenience and simplicity of description, the division of the above-mentioned functional units and modules is used only as an example for illustration.
  • the above-mentioned function allocation can be completed by different functional units and modules as needed, that is, the internal structure of the device can be divided into different functional units or modules to complete all or part of the functions described above.
  • the functional units and modules in the embodiment can be integrated in a processing unit, or each unit can exist physically separately, or two or more units can be integrated in one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or in the form of software functional units.
  • The embodiment of the present application also provides a computer-readable storage medium, as shown in FIG12 , in which a computer program or instruction 1201 is stored. When a computer reads and executes the computer program or instruction 1201, the computer executes the steps in the above-mentioned various method embodiments.
  • the readable medium may be a read-only memory (ROM) or a random access memory (RAM), which is not limited in the embodiment of the present application.
  • An embodiment of the present application provides a computer program product.
  • When the server executes the computer program product, the steps in the above-mentioned method embodiments are implemented.
  • the embodiment of the present application also provides a chip, which includes: a processing unit and a communication unit, the processing unit, for example, may be a processor, and the communication unit, for example, may be an input/output interface, a pin or a circuit, etc.
  • the processing unit may execute computer instructions to enable a computer device to execute any of the login methods for the application provided in the embodiment of the present application.
  • the computer instructions are stored in a storage unit.
  • the storage unit is a storage unit within the chip, such as a register, a cache, etc.
  • The storage unit may also be a storage unit located outside the chip within the terminal, such as a ROM or another type of static storage device that can store static information and instructions, a random access memory (RAM), etc.
  • the processor mentioned in any of the above may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling the display of the above-mentioned electronic device and the execution of the program of the control method.
  • the processing unit and the storage unit may be decoupled and respectively arranged on different physical devices, and connected by wire or wireless means to implement the respective functions of the processing unit and the storage unit, so as to support the system chip to implement the various functions in the above-mentioned embodiments.
  • the processing unit and the memory may also be coupled on the same device.
  • the chip provided in the embodiment of the present application can be an integrated circuit for implementing the login method of any of the above-mentioned applications, and the main function of the chip is to execute the steps or processes defined by the login method of the application in the embodiment of the present application, that is, to implement the login method of the application in the embodiment of the present application by hardware.
  • the computer-readable storage medium provided in the embodiment of the present application is mainly used to store a computer program, which, when executed, implements the steps or processes defined by the login method of any of the above-mentioned applications, that is, to implement the login method of the application in the embodiment of the present application in the form of computer software.
  • the disclosed devices/equipment and methods can be implemented in other ways.
  • the device/equipment embodiments described above are merely schematic, for example, the division of the modules or units is only a logical function division, and there may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of devices or units, which can be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.
  • If the integrated module/unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • All or part of the processes in the above-mentioned method embodiments of the present application can be completed by instructing the relevant hardware through a computer program.
  • the computer program can be stored in a computer-readable storage medium, and the computer program can implement the steps of the above-mentioned various method embodiments when executed by the processor.
  • the computer program includes computer program code, and the computer program code can be in source code form, object code form, executable file or some intermediate form.
  • The computer-readable medium may at least include: any entity or device that can carry the computer program code to the device/server, a recording medium (for example, a USB flash drive, a mobile hard disk, a magnetic disk or an optical disk), a computer memory, a read-only memory (ROM), a random access memory (RAM), an electric carrier signal, a telecommunication signal, and a software distribution medium (for example, a USB flash drive, a mobile hard disk, a magnetic disk or an optical disk).
  • computer-readable media cannot be electric carrier signals and telecommunication signals.
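The server side of steps S201 to S213 together with the ETL-refreshed authentication interaction database, as an added Python example that is not the patent's code: the configuration item selects the preset login authentication mode code module (a mode with no module is rejected rather than defaulted), and the interaction database is replaced wholesale from the target database so that deleted users stop authenticating. The JSON configuration layout, the terminal-to-configuration mapping and the use of salted PBKDF2 hashes instead of stored passwords are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# Preset login authentication mode code modules, one per mode.  Here each only
# builds the "login interface task" that the terminal renders (step S204).
def cas_login_interface():
    return {"mode": "cas", "fields": ["username", "password"], "qr_login": True}

def shiro_login_interface():
    return {"mode": "shiro", "fields": ["username", "password"]}

def oauth_login_interface():
    return {"mode": "oauth", "fields": ["username", "password"]}

def wechat_login_interface():
    return {"mode": "wechat", "fields": [], "qr_login": True}

LOGIN_MODE_MODULES = {
    "cas": cas_login_interface,
    "shiro": shiro_login_interface,
    "oauth": oauth_login_interface,
    "wechat": wechat_login_interface,
}

def load_config(config_text):
    """Parse a configuration file (JSON layout assumed) and validate its
    login_authentication_mode item.  A mode with no preset module is an
    error: the item alone selects the code path, so it must never fall
    through to a default module."""
    cfg = json.loads(config_text)
    modes = cfg.get("login_authentication_mode", [])
    if isinstance(modes, str):
        modes = [modes]
    unknown = [m for m in modes if m not in LOGIN_MODE_MODULES]
    if not modes or unknown:
        raise ValueError(f"unsupported login authentication mode: {unknown or modes}")
    return {"modes": modes}

def select_config(config_files, terminal_id):
    """Step S203 as described: a single configuration file is used as is;
    with several, the terminal identifier chooses one (mapping assumed)."""
    if len(config_files) == 1:
        return next(iter(config_files.values()))
    return config_files[terminal_id]

def handle_access_request(config_files, terminal_id):
    """Steps S201-S204: access request -> configuration file -> login
    authentication mode code module(s) -> login interface task."""
    cfg = load_config(select_config(config_files, terminal_id))
    return [LOGIN_MODE_MODULES[m]() for m in cfg["modes"]]

def hash_password(password, salt):
    # Salted PBKDF2 so the interaction database never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AuthInteractionDB:
    """The authentication interaction database of step S209, refreshed from
    the target database by an ETL task."""
    def __init__(self):
        self.users = {}  # username -> (salt, password hash)

    def sync_from_target(self, target_rows):
        """ETL refresh: Extract the target rows, Transform them into the lookup
        shape, Load them as the new table.  Users added in the target can now
        log in; users deleted there can no longer."""
        self.users = {r["username"]: (r["salt"], r["pw_hash"]) for r in target_rows}

    def authenticate(self, username, password):
        """Compare the submitted user name and password with the stored
        information.  A missing user and a wrong password both fail; the
        hash comparison is constant-time."""
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))

def make_target_row(username, password):
    """Constructed target-database row (the target database is assumed to
    store salted hashes, not plaintext passwords)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "pw_hash": hash_password(password, salt)}

if __name__ == "__main__":
    configs = {"terminal-1": '{"login_authentication_mode": ["cas", "wechat"]}'}
    print(handle_access_request(configs, "terminal-1"))
```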
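The CAS protocol process of FIG4 (steps 1 to 6) with both the CAS client filter and the CAS server modelled in one process, as an added example rather than the patent's or Apereo CAS's code; the ticket format, the ten-second ticket lifetime, the in-memory credential store and the session layout are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import quote

class CasServer:
    """The independently deployed CAS server: authenticates users and issues
    and validates Service Tickets."""
    def __init__(self, login_url, ticket_ttl=10.0):
        self.login_url = login_url
        self.ticket_ttl = ticket_ttl   # seconds a Service Ticket stays valid (assumed)
        self.credentials = {}          # constructed user store: username -> password
        self.tickets = {}              # ticket -> (service, username, issued_at)

    def login(self, service, username, password, now=None):
        """Steps 3-4: user authentication, then a random Service Ticket that is
        bound to the service the user was redirected from."""
        expected = self.credentials.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (service, username, now if now is not None else time.time())
        return ticket

    def validate(self, service, ticket, now=None):
        """Steps 5-6: the CAS client presents the ticket; it is accepted only
        once, only for the service it was issued to, and only within the TTL.
        Returns the user name on success, None otherwise."""
        entry = self.tickets.pop(ticket, None)   # pop: a ticket is single-use
        if entry is None:
            return None
        bound_service, username, issued_at = entry
        if bound_service != service:
            return None
        if (now if now is not None else time.time()) - issued_at > self.ticket_ttl:
            return None
        return username

class CasClient:
    """The CAS client filter deployed in front of a protected Web application."""
    def __init__(self, service_url, server):
        self.service_url = service_url
        self.server = server
        self.sessions = {}   # session id -> user information established in step 6

    def access_service(self, request):
        """Step 1: a request without a Service Ticket is redirected to the CAS
        server (step 2); a request carrying one is validated (step 5) and, on
        success, a session holding the user name is created (step 6)."""
        ticket = request.get("ticket")
        if ticket is None:
            return {"status": 302,
                    "location": f"{self.server.login_url}?service={quote(self.service_url, safe='')}"}
        username = self.server.validate(self.service_url, ticket)
        if username is None:
            return {"status": 403}
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"username": username}
        return {"status": 200, "session_id": session_id, "user": username}

if __name__ == "__main__":
    server = CasServer("https://cas.example/login")
    server.credentials["alice"] = "pw-alice"
    client = CasClient("https://app.example/", server)
    print(client.access_service({}))
    st = server.login("https://app.example/", "alice", "pw-alice")
    print(client.access_service({"ticket": st}))
    print(client.access_service({"ticket": st}))   # replay is refused
```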
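The OAuth login process of FIG9 (steps (A) to (E)), as an added example that is not the patent's code: the authorization server reads the user's existing Web application M session from a store standing in for the Redis sentinel cluster, issues an authorization code bound to client_id and redirect_uri, and exchanges it exactly once for an access token that only exposes non-sensitive user information. The code lifetime, the client registration layout and the user-info fields are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

class AuthorizationServer:
    """The authentication (authorization) server of FIG9."""
    def __init__(self, code_ttl=60.0):
        self.code_ttl = code_ttl   # seconds an authorization code stays valid (assumed)
        self.clients = {}    # client_id -> {"secret": str, "redirect_uris": set}
        self.sessions = {}   # session id -> user info; stands in for the Redis cluster
        self.codes = {}      # code -> (client_id, redirect_uri, user, issued_at)
        self.tokens = {}     # access token -> user info

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uris": {redirect_uri}}

    def authorize(self, client_id, redirect_uri, session_id, state, now=None):
        """Steps (A)-(B): the user must already hold a session in Web
        application M; client_id and redirect_uri must match the registration
        exactly (otherwise nothing is redirected anywhere); then a short-lived
        code is issued and the user agent is sent to redirect_uri."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return {"error": "invalid_client_or_redirect_uri"}
        user = self.sessions.get(session_id)
        if user is None:
            return {"error": "login_required"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, now if now is not None else time.time())
        return {"redirect": redirect_uri + "?" + urlencode({"code": code, "state": state})}

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Steps (C)-(D): exchange the code plus client_id/client_secret (and
        the same redirect_uri) for an access token.  The code is single-use
        and every binding is re-checked, so a leaked code alone is useless."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
        entry = self.codes.pop(code, None)   # pop: the code can be redeemed once
        if entry is None:
            return None
        bound_client, bound_uri, user, issued_at = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            return None
        if (now if now is not None else time.time()) - issued_at > self.code_ttl:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def userinfo(self, access_token):
        """Step (E): the resource interface returns only the fields the
        third-party application is meant to see (username and department here);
        the rest of the session's user information never leaves the server."""
        user = self.tokens.get(access_token)
        if user is None:
            return None
        return {"username": user["username"], "department": user["department"]}

if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("app-x", "secret-x", "https://x.example/cb")
    srv.sessions["sess-1"] = {"username": "alice", "department": "ops", "phone": "000"}
    r = srv.authorize("app-x", "https://x.example/cb", "sess-1", "st1")
    code = r["redirect"].split("code=")[1].split("&")[0]
    print(srv.userinfo(srv.token("app-x", "secret-x", code, "https://x.example/cb")))
```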

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a login method and apparatus for an application, as well as a computer device, a storage medium and a chip. The method comprises the following steps: receiving an access request for a first web application, the access request being sent by a terminal device; in response to the access request, determining a first login authentication mode code module from among a plurality of predefined login authentication mode code modules according to a first login authentication mode configuration item in a first configuration file; generating a login interface task according to the code in the first login authentication mode code module; and sending the login interface task to the terminal device, so that the terminal device displays a login interface of the first web application on the basis of the login interface task, the login interface corresponding to a first login authentication mode. By means of the method, a login authentication mode configuration item in a configuration file is modified in order to switch the login authentication mode of a web application, so that labor cost can be reduced and the efficiency of switching the login authentication mode of the web application is improved.
PCT/CN2023/136541 2022-12-06 2023-12-05 Login method and apparatus for application, and computer device, storage medium and chip WO2024120403A1 (fr)
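The abstract describes a server that, on an access request, reads a login authentication mode configuration item for the requested web application, selects one of a set of predefined mode code modules, and returns a "login interface task" for the terminal to render. The following is an added illustration of that pattern in Python; it is not code from the patent or its assignee. The JSON configuration layout, the application identifiers, the mode names `password` and `sso_ticket`, the redirect URL and all function names are assumptions made for the example. The security-relevant detail it adds is that the mode lookup is an allowlist of registered modules that fails closed: a configuration item naming an unregistered or mistyped mode raises an error instead of silently rendering some default, and a mode switch is validated against the same registry before the configuration is changed.

```python
"""Config-driven selection of a web application's login authentication mode.

Added example (not the patent's own code). Everything below is a constructed
illustration: config layout, app ids, mode names and URLs are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample "first configuration file": one login authentication mode
# configuration item per web application.  "app-three" names a mode that no
# predefined module implements, to show the fail-closed path.
CONFIG_FILE = json.dumps({
    "apps": {
        "app-one": {"login_auth_mode": "password"},
        "app-two": {"login_auth_mode": "sso_ticket"},
        "app-three": {"login_auth_mode": "magic_link"},
    }
})


@dataclass(frozen=True)
class LoginInterfaceTask:
    """What the server sends to the terminal so it can draw the login page."""
    app_id: str
    mode: str
    fields: Tuple[str, ...]          # form fields the terminal must render
    redirect: Optional[str] = None   # set when the mode hands off to another site


class UnknownLoginMode(ValueError):
    """Raised when a configuration item names a mode with no code module."""


# --- predefined login authentication mode code modules (assumed names) -------

def password_mode(app_id: str) -> LoginInterfaceTask:
    """Local username/password form rendered by the terminal."""
    return LoginInterfaceTask(app_id, "password", ("username", "password"))


def sso_ticket_mode(app_id: str) -> LoginInterfaceTask:
    """Ticket-based single sign-on: no local form, redirect to the SSO service."""
    # The SSO host is a placeholder; .invalid is reserved and never resolves.
    return LoginInterfaceTask(
        app_id, "sso_ticket", (),
        redirect=f"https://sso.example.invalid/login?app={app_id}",
    )


# Allowlist: only modes registered here can ever be selected.
MODE_MODULES: Dict[str, Callable[[str], LoginInterfaceTask]] = {
    "password": password_mode,
    "sso_ticket": sso_ticket_mode,
}


def load_config(text: str) -> dict:
    """Parse the configuration file and reject a malformed top level."""
    cfg = json.loads(text)
    if not isinstance(cfg.get("apps"), dict):
        raise ValueError("configuration file has no 'apps' mapping")
    return cfg


def select_mode_module(config: dict, app_id: str) -> Callable[[str], LoginInterfaceTask]:
    """Map an app's configuration item to exactly one registered code module."""
    app_cfg = config["apps"].get(app_id)
    if app_cfg is None:
        raise KeyError(f"no configuration for application {app_id!r}")
    mode = app_cfg.get("login_auth_mode")
    module = MODE_MODULES.get(mode)
    if module is None:
        # Fail closed: an unknown mode must not fall back to a weaker default.
        raise UnknownLoginMode(f"{app_id!r}: unregistered login mode {mode!r}")
    return module


def handle_access_request(app_id: str, config: dict) -> LoginInterfaceTask:
    """Server side of the access request: pick the module, build the task."""
    module = select_mode_module(config, app_id)
    return module(app_id)


def switch_login_mode(config: dict, app_id: str, new_mode: str) -> dict:
    """Switch an app's mode by editing only its configuration item.

    The new value is validated against the registry first, so the config can
    never be left pointing at a mode the server cannot serve.
    """
    if new_mode not in MODE_MODULES:
        raise UnknownLoginMode(f"cannot switch {app_id!r} to unregistered mode {new_mode!r}")
    if app_id not in config["apps"]:
        raise KeyError(f"no configuration for application {app_id!r}")
    updated = json.loads(json.dumps(config))  # copy; do not mutate caller's view
    updated["apps"][app_id]["login_auth_mode"] = new_mode
    return updated


if __name__ == "__main__":
    cfg = load_config(CONFIG_FILE)
    print(handle_access_request("app-one", cfg))
    print(handle_access_request("app-two", cfg))
    try:
        handle_access_request("app-three", cfg)
    except UnknownLoginMode as exc:
        print("rejected:", exc)
    cfg2 = switch_login_mode(cfg, "app-one", "sso_ticket")
    print(handle_access_request("app-one", cfg2).mode)
```

Switching an application from the password form to SSO is then a one-line change to its configuration item, as the abstract describes, while the registry keeps the set of reachable modes fixed in code; a reviewer can audit `MODE_MODULES` rather than every configuration file.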

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211556588.X 2022-12-06
CN202211556588.XA CN118157879A (zh) 2022-12-06 2022-12-06 Login method and apparatus for web application

Publications (1)

Publication Number Publication Date
WO2024120403A1 true WO2024120403A1 (fr) 2024-06-13

Family

ID=91287559

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/136541 WO2024120403A1 (fr) 2022-12-06 2023-12-05 Login method and apparatus for application, and computer device, storage medium and chip

Country Status (2)

Country Link
CN (1) CN118157879A (fr)
WO (1) WO2024120403A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301328A (zh) * 2014-10-29 2015-01-21 北京思特奇信息技术股份有限公司 Resource operation security authentication method and system in a cloud computing environment
CN107172008A (zh) * 2017-04-01 2017-09-15 北京芯盾时代科技有限公司 System and method for multi-system authentication and synchronization on a mobile device
WO2022151974A1 (fr) * 2021-01-15 2022-07-21 华为技术有限公司 Website login method, communication system and electronic device
CN115189891A (zh) * 2022-07-07 2022-10-14 Oppo广东移动通信有限公司 Application login method, apparatus, terminal and computer-readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XING XU, ZHU CHAOYANG, LIAO SHUHANG: "Security Upgrade of Campus Network Unified Identity Authentication Platform Based on OAuth2.0", NETWORK SECURITY TECHNOLOGY & APPLICATION, no. 8, 10 August 2022 (2022-08-10), pages 81 - 84, XP093179505 *

Also Published As

Publication number Publication date
CN118157879A (zh) 2024-06-07

Similar Documents

Publication Publication Date Title
US11916911B2 (en) Gateway enrollment for Internet of Things device management
US11658984B2 (en) Authenticating access to computing resources
US9467474B2 (en) Conjuring and providing profiles that manage execution of mobile applications
US11799841B2 (en) Providing intercommunication within a system that uses disparate authentication technologies
CN112039826B (zh) Login method and apparatus for a mini-program client, electronic device, readable medium
US20170310659A1 (en) Protection of application passwords using a secure proxy
CN111526111B (zh) Control method, apparatus and device for logging into a light application, and computer storage medium
CN113271296B (zh) Method and apparatus for login permission management
CN110493239B (zh) Authentication method and apparatus
CN113271311A (zh) Digital identity management method and system in a cross-chain network
CN107835181A (zh) Permission management method, apparatus, medium and electronic device for a server cluster
CN111814131B (zh) Method and apparatus for device registration and configuration management
US11977620B2 (en) Attestation of application identity for inter-app communications
US20140007259A1 (en) Methods for governing the disclosure of restricted data
CN108228280A (zh) Configuration method and apparatus for browser parameters, storage medium, electronic device
WO2010012721A1 (fr) Dissemination of information from a trust-chain process
WO2024120403A1 (fr) Login method and apparatus for application, and computer device, storage medium and chip
CN113055186B (zh) Cross-system service processing method, apparatus and system
CN113765876B (zh) Access method and apparatus for report processing software
CN110602074B (zh) Method, apparatus and system for using a service identity based on master-slave association
CN110659476A (zh) Method and apparatus for resetting a password
CN115174062B (zh) Cloud service authentication method, apparatus, device and storage medium
CN110611656B (zh) Identity management method, apparatus and system based on multiple mappings of a primary identity
US8788681B1 (en) Method and apparatus for autonomously managing a computer resource using a security certificate
CN118690400A (zh) Data processing method, apparatus, computer device, storage medium and product

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23899977

Country of ref document: EP

Kind code of ref document: A1